Resource attributes


Access token customization

P14C Access Tokens are signed JWTs (JSON Web Tokens) that include identity claims about and attributes of the requestor, usually a user identity. The resource attributes service lets you customize the content of access tokens by adding custom attributes and their values. This is a great way to convey additional information about the user to applications.

Resource attributes are essentially custom identity claims associated with a resource. For example, suppose the clothing.preferences resource with scope sizes provides “clothing size” user claims in the token. By default, the sizes scope does not include a t-shirt size user claim. To include the user.tshirtSize user attribute as a user claim in the token, a resource attribute entity can be created that associates the tshirtSize attribute with the clothing.preferences resource. Then, for token requests to clothing.preferences with scope sizes, the tshirtSize user claim is included in the token. The following diagram shows the workflow:

Resource attributes

For information about an access token’s core claims, see Access token claims. A token’s core identity claims cannot be modified or deleted.

Resource attributes API operations

The resources attributes endpoints support the following operations:

For hands-on experience with the resource attributes API endpoints, click the Run in Postman button below to download a Postman collection that you can import and open in your local Postman application.

Resource attributes data model

Property Description
name A string that specifies the name of the custom resource attribute to be included in the access token. The following names are reserved and cannot be used:
  • acr
  • amr
  • aud
  • auth_time
  • client_id
  • env
  • exp
  • iat
  • iss
  • jti
  • org
  • p1.* (any name staring with the p1. prefix)
  • scope
  • sid
  • sub
type A string that specifies the type of resource attribute. Options are:
  • CORE: The claim is required and cannot not be removed.
  • CUSTOM: The claim is not a CORE attribute. All created attributes are of this type.
value A string that specifies the value of the custom resource attribute. This value can be a placeholder that references an attribute in the user schema, expressed as “${user.path.to.value}”, or it can be a static string. Placeholders must be valid, enabled attributes in the environment’s user schema. Examples fo valid values are: “${user.email}”, “${user.name.family}”, and “myClaimValueString”.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
404 The requested resource was not found.

Endpoint examples

Get attributes for a resource

To get the list of custom attributes associated with a specified resource, the GET /environments/{environmentId}/resources/{resourceId}/attributes operation returns data for the attributes associated with the resource entity ID specified in the request URL.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes"
    }
  },
  "_embedded": {
    "attributes": [
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/8370d62d-ba19-4ee7-b9c6-11928749b13c"
          },
          "resource": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          }
        },
        "id": "8370d62d-ba19-4ee7-b9c6-11928749b13c",
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "name": "nickname",
        "value": "${user.nickname}",
        "type": "CUSTOM",
        "resource": {
          "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
        }
      },
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/84c17bdd-1aa4-4902-bea7-4e05fa853286"
          },
          "resource": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          }
        },
        "id": "84c17bdd-1aa4-4902-bea7-4e05fa853286",
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "name": "updatedName",
        "value": "updatedValue",
        "type": "CUSTOM",
        "resource": {
          "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
        }
      },
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/e41aec20-6eaa-4baa-a1c1-ae4a305244b1"
          },
          "resource": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          }
        },
        "id": "e41aec20-6eaa-4baa-a1c1-ae4a305244b1",
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "name": "email",
        "value": "${user.email}",
        "type": "CUSTOM",
        "resource": {
          "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
        }
      }
    ]
  },
  "count": 3,
  "size": 3
}

Get one resource attribute

To get data for a single custom attribute resource, the GET /environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId} operation returns data for the resource attribute identified by its ID in the request URL.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId}" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/84c17bdd-1aa4-4902-bea7-4e05fa853286"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "resource": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
    }
  },
  "id": "84c17bdd-1aa4-4902-bea7-4e05fa853286",
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "name": "email",
  "value": "${user.email}",
  "type": "CUSTOM",
  "resource": {
    "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
  }
}

Create resource attributes

The POST /environments/{environmentId}/resources/{resourceId}/attributes operation adds a new custom resource attribute. The request URL specifies the new attribute’s associated environment ID and resource ID.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "name": "firstName",
  "value": "${user.name.given}"
}'

The request body must specify values for the attribute name and value properties. The name value must be unique within the specified environment resource and cannot use any of the reserve names.

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/d13991db-145a-4f4c-802e-3f6526cb246c"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "resource": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
    }
  },
  "id": "d13991db-145a-4f4c-802e-3f6526cb246c",
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "name": "firstName",
  "value": "${user.name.given}",
  "type": "CUSTOM",
  "resource": {
    "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
  }
}

Update resource attributes

The PUT /environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId} operation updates the property values of the identified attribute.

curl -X "PUT" "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "name": "nickname",
  "value": "${user.nickname}"
}'

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/84c17bdd-1aa4-4902-bea7-4e05fa853286"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "resource": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
    }
  },
  "id": "84c17bdd-1aa4-4902-bea7-4e05fa853286",
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "name": "nickname",
  "value": "${user.nickname}",
  "type": "CUSTOM",
  "resource": {
    "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
  }
}

Delete resource attributes

The following sample shows the DELETE /environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId} operation to delete the specified custom resource attribute.

curl -X DELETE "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId}" \
-H "Authorization: Bearer jwtToken"

When successful, the DELETE request returns a code 204 No Content message.